In Pictures: Top 10 botnet targets in the US and worldwide

Level 3 botnet research report
Every day, the security team at network services provider Level 3 Communications monitors approximately 1.3 billion security events; mitigates roughly 22 distributed denial of service (DDoS) attacks; and removes, on average, one control and command (C2) server network. In its new botnet research report, “Safeguarding the Internet,” Level 3 uses its own threat intelligence, combined with other data feeds, to define trends in botnet behavior, DDoS attacks and malware. Read on for some highlights.

Which U.S. metro areas are most targeted?
Silicon Valley tops the list of the 10 most targeted U.S. metro areas, according to Level 3’s analysis of traffic sent by malicious control and command (C2) servers. Based on the amount of traffic passed between malicious botnets and their victims, San Francisco is the next most popular target, followed by: Scottsdale, Atlanta, Seattle, New York, Chicago, Los Angeles, Ashburn (part of the Washington, D.C. metro area), and St. Louis.

Where does botnet traffic come from?
The U.S. generated the most C2 traffic in the first quarter of this year (20% of malicious C2s were based in North America), followed by Ukraine, Russia, Netherlands, and Germany.
From the report: “The United States has a wealth of infrastructure that lends itself to attack execution. Its proximity to valuable targets at home and abroad makes the United States a highly desirable location for criminals to establish a well-connected and stable control point.”
Level 3 botnet research top countriesSee larger image
Which countries are most targeted?
Norway received the most victim traffic across the globe in the first quarter of 2015, followed by: United States, Spain, Sweden, Turkey, Ukraine, China, Pakistan, Poland, and Egypt.
The hardest hit countries – ranked by the absolute number of victims/unique IP addresses

Which countries are most targeted?
Norway received the most victim traffic across the globe in the first quarter of 2015, followed by: United States, Spain, Sweden, Turkey, Ukraine, China, Pakistan, Poland, and Egypt.
The hardest hit countries – ranked by the absolute number of victims/unique IP addresses conversing with C2s – during the quarter were: China (532,000 unique-victim IP addresses), U.S. (528,000), Norway (213,000), Spain (129,000), and Ukraine (124,000).
From the report: “Norway’s C2 volume was reflective of a C2 hosted within a specific Web hosting environment, which caused a sharp spike in identified C2 traffic. … The high volume of attack traffic in the Netherlands correlates to the victim traffic in Norway and Sweden. Proximity to the target plays a large role in the efficacy of these campaigns.”

Estimating the victims
Level 3 found that the average number of infected hosts per control and command (C2) server is 1,700. The firm also reports that 22% of C2 servers perform more than one function, such as malware distribution, DDoS attacking and phishing services. During Q1, the average age of a C2 was 38 days.
From the report: “According to our research, the average number of infected hosts per C2 is 1,700. Over the course of the year, we track 600 to 1,000 C2s, which control millions of infected hosts. The high volume of measureable communications between C2s and their victims suggest there is opportunity for the security community to collaborate and aggressively reduce the number of C2s on the Internet."

Denial-of-service attacks on the rise
The majority (56%) of DDoS attacks are aimed at targets in the U.S., Level 3 says. DDoS attacks in Europe are trending up, the firm says. Looking at DDoS attacks by industry, the biggest target in the first quarter of 2015 was the gaming industry, followed by: Internet service providers, Web hosting companies, research and education firms, and the financial industry.
From the report: “Over the past 2 years, both volumetric and application-layer attacks have increased in frequency. Blended attacks are also on the rise. DDoS attacks are effective when used with other forms of attacks meant to distract IT employees while inserting malware into backend systems to exfiltrate data.”

Malicious traffic generated in Europe
Among the countries in Europe, Ukraine generated the most C2 traffic in the first quarter of the year, followed by: Russia, Netherlands, Germany, France, UK, Romania, Spain, Switzerland, and Italy.
From the report: “While nations around the world are represented in the top 10 global offenders list, the regions generating the highest levels of C2 traffic are Europe and the United States. An average of 20 percent of the C2s we tracked were based in North America with a nearly equal amount launching from the Ukraine and Russia combined. Western Europe and the United Kingdom contributed another 12 percent of C2 traffic. Latin America was the source of only 2 percent of the overall C2 traffic.”

Targets in Europe
On the victim side, the No. 1 targeted country in Europe was Norway, followed by: Spain, Sweden, Ukraine, Poland, Russia, Germany, UK, Greece, and France.

Malicious traffic generated in Latin America
Among the countries in Latin America, Panama generated the most C2 traffic in the first quarter of the year, followed by Argentina, Brazil, and Mexico.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.